Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp991510imm; Fri, 1 Jun 2018 13:13:50 -0700 (PDT) X-Google-Smtp-Source: ADUXVKKTtihaXEECJZdGQ099pIcAdgDclCy71/lEia4aGc40B9o/8cFvAGJ++bMEZ9gQLWFWTffL X-Received: by 2002:a63:3dcc:: with SMTP id k195-v6mr9947844pga.254.1527884029963; Fri, 01 Jun 2018 13:13:49 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1527884029; cv=none; d=google.com; s=arc-20160816; b=eDEsWhGN68jLq+VIto25czM2gQhBzmQ6dEnV31lyjRYYfZE+mNjXS9F2Aq9uvhAQeB YZvLUoSAeeRwUP0j+W1q0A/IBSAiENoCeRNcdseIvTNdkLZLFiCuZiKAqM7zhFuRuU3F a2jS5LGJLuiJA0KOKg5cHKet6WbdR0X/u6MIPq2UtuJ6ChW37B1OgjEiabwyCMq1Knqj 2rJQPsHg6kRBKjM0zWgqi1kqMOZLxCLy8h81LeLXObijrp2ci4yx8ZE3CeP/CzJrUuz4 B+k9WYHlUkbepSEaODuW3EfzHy6MKRb4Gzx36qz8f2RE21eWhrTD2QkYuhBE6mUM7gC2 2uXQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature :arc-authentication-results; bh=J2S4wXAmkyv9rRzHnXd/yrrfQGGQetMv1c4LrbxdBeg=; b=MN0/PkoNnKJ+KWfbCdGAt6d97FdwncCJfhNZvfxEUM1OC9//PgT6CvqcVaPPmzkqwU L4SEfRbspRF1qOQzyjO1k5k4IZCxYyGSbCrmr+S90qAy5FBwK6RPIspBkYa0YtOT4rwq fn623rzWY6k/lZZxhkEaea2TQsobDOUPWz81IC0evwOu/3usiNW7m7W1SQN2qcbL6mR0 Ke32XR1X8jxnNnjmXP+zNjLbKgrIEKqZsIWpduwsffs3tRDR9BcAQXYrQDENysUirEw8 0Y6htjqyNju1LNoJuUdoGRkuycwNBQ25m0a13s2vU8I+dyop2yOVnAAvxz04AjMN0Jvt JWUA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=BsXBvXmF; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id b38-v6si40700923plb.541.2018.06.01.13.13.32; Fri, 01 Jun 2018 13:13:49 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=BsXBvXmF; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753116AbeFAUNF (ORCPT + 99 others); Fri, 1 Jun 2018 16:13:05 -0400 Received: from mail-lf0-f67.google.com ([209.85.215.67]:43610 "EHLO mail-lf0-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752107AbeFAUND (ORCPT ); Fri, 1 Jun 2018 16:13:03 -0400 Received: by mail-lf0-f67.google.com with SMTP id n18-v6so16511485lfh.10 for ; Fri, 01 Jun 2018 13:13:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=J2S4wXAmkyv9rRzHnXd/yrrfQGGQetMv1c4LrbxdBeg=; b=BsXBvXmFceuYaPA+28k/nzQ+Hz+GNZxASUTjyoMbCNzYvWdsVtMI766epCyz1vqofL 2wIBBZg7oEVGuLGhBd3BXrPueQ3msBzamTFn1Qft/a0TstnEqZssQs5Lh+mISr4U1Tb6 0aarzib8Q5N9iCiWZBY+F54ijjTGwgSTL4xZGLJZ2Uxwi5FyDMfSPTCGkgjySSZTLFi6 3S/Y+vRqRuSCzui5xHGt1RlgGSOydoa3K1V4YjP+oegB7bgZHXdKYkL641guqj3G9iXl lD/lLG4Qy34y+RA27rwrgYOACuRpwHXA8z/TYHEff/rIB8LSYbFMpDEGzf6dTewc3OBd 6MAg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=J2S4wXAmkyv9rRzHnXd/yrrfQGGQetMv1c4LrbxdBeg=; b=B7TZwIvYq2bfmQivRSJK5JqU9rRDp3GOs0knsh2sjRHx2yoO7FDbhbYrzYLO3nUlR3 yU1kzHRfdGCiJl4MPOkyAQsfzc2HzmQtzpTOjVjMC9rziOQn0jCiviLeu4xQaTrn+VT+ V8oO68TqAMvgvdbkkTgXX0pgL9yMRkRjUB4YSjenlJMNJcfFsWoMFi8XsNkcxSMoP/AR bHZS0gEulpGFA8zq6hZQeaCgZbOsASL6D+sB1pdd7GAPCVgL1mPapNqh/DdiqQHfkj6y 3PGlmR7jUOIqjsjygI0T1z+azIAm7vBrn9jkUruFrSDGJb1bwaPYwm9LDvPXexWPa/cz hz+w== X-Gm-Message-State: ALKqPweek4b0PkRCdGhgbtIvigAc76elG267LafCG6gX8UNr58Ea1c66 Vh268Y4YZMxiMQ37qYCaQ8GjpM7D8cXaIZ/VV71U X-Received: by 2002:a19:d744:: with SMTP id o65-v6mr7322256lfg.124.1527883981471; Fri, 01 Jun 2018 13:13:01 -0700 (PDT) MIME-Version: 1.0 Received: by 2002:a19:a911:0:0:0:0:0 with HTTP; Fri, 1 Jun 2018 13:13:00 -0700 (PDT) X-Originating-IP: [108.20.156.165] In-Reply-To: <89c5f9c1-cdc4-6d2c-c187-04e94c2b8e75@linux.vnet.ibm.com> References: <20180524201105.3179904-1-stefanb@linux.vnet.ibm.com> <20180524201105.3179904-9-stefanb@linux.vnet.ibm.com> <20180530124920.g5agxm75x4i6pw6n@madcap2.tricolour.ca> <35894dae-c9c6-aa65-da99-c0283d459878@linux.vnet.ibm.com> <85a2ad4d-6406-ad64-f440-7ab8289ceb2e@linux.vnet.ibm.com> <20180530233413.xz5bs3zb4jwmddpi@madcap2.tricolour.ca> <89c5f9c1-cdc4-6d2c-c187-04e94c2b8e75@linux.vnet.ibm.com> From: Paul Moore Date: Fri, 1 Jun 2018 16:13:00 -0400 Message-ID: Subject: Re: [PATCH 8/8] ima: Differentiate auditing policy rules from "audit" actions To: Stefan Berger , Richard Guy Briggs Cc: linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org, linux-audit@redhat.com Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Jun 1, 2018 at 4:00 PM, Stefan Berger wrote: > On 05/30/2018 07:34 PM, Richard Guy Briggs wrote: >> >> On 2018-05-30 17:38, Stefan Berger wrote: >>> >>> On 05/30/2018 05:22 PM, Paul Moore wrote: >>>> >>>> On Wed, May 30, 2018 at 9:08 AM, Stefan Berger >>>> wrote: >>>>> >>>>> On 05/30/2018 08:49 AM, Richard Guy Briggs wrote: >>>>>> >>>>>> On 2018-05-24 16:11, Stefan Berger wrote: >>>>>>> >>>>>>> The AUDIT_INTEGRITY_RULE is used for auditing IMA policy rules and >>>>>>> the IMA "audit" policy action. This patch defines >>>>>>> AUDIT_INTEGRITY_POLICY_RULE to reflect the IMA policy rules. >>>>>>> >>>>>>> With this change we now call integrity_audit_msg_common() to get >>>>>>> common integrity auditing fields. This now produces the following >>>>>>> record when parsing an IMA policy rule: >>>>>>> >>>>>>> type=UNKNOWN[1806] msg=audit(1527004216.690:311): action=dont_measure >>>>>>> \ >>>>>>> fsmagic=0x9fa0 pid=1613 uid=0 auid=0 ses=2 \ >>>>>>> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 \ >>>>>>> op=policy_update cause=parse_rule comm="echo" >>>>>>> exe="/usr/bin/echo" \ >>>>>>> tty=tty2 res=1 >>>>>>> >>>>>>> Signed-off-by: Stefan Berger >>>>>>> --- >>>>>>> include/uapi/linux/audit.h | 3 ++- >>>>>>> security/integrity/ima/ima_policy.c | 5 +++-- >>>>>>> 2 files changed, 5 insertions(+), 3 deletions(-) >>>>>>> >>>>>>> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h >>>>>>> index 4e61a9e05132..776e0abd35cf 100644 >>>>>>> --- a/include/uapi/linux/audit.h >>>>>>> +++ b/include/uapi/linux/audit.h >>>>>>> @@ -146,7 +146,8 @@ >>>>>>> #define AUDIT_INTEGRITY_STATUS 1802 /* Integrity >>>>>>> enable >>>>>>> status */ >>>>>>> #define AUDIT_INTEGRITY_HASH 1803 /* Integrity HASH type */ >>>>>>> #define AUDIT_INTEGRITY_PCR 1804 /* PCR invalidation msgs >>>>>>> */ >>>>>>> -#define AUDIT_INTEGRITY_RULE 1805 /* policy rule */ >>>>>>> +#define AUDIT_INTEGRITY_RULE 1805 /* IMA "audit" action policy >>>>>>> msgs */ >>>>>>> +#define AUDIT_INTEGRITY_POLICY_RULE 1806 /* IMA policy rules */ >>>>>>> #define AUDIT_KERNEL 2000 /* Asynchronous >>>>>>> audit >>>>>>> record. NOT A REQUEST. */ >>>>>>> diff --git a/security/integrity/ima/ima_policy.c >>>>>>> b/security/integrity/ima/ima_policy.c >>>>>>> index 3aed25a7178a..a8ae47a386b4 100644 >>>>>>> --- a/security/integrity/ima/ima_policy.c >>>>>>> +++ b/security/integrity/ima/ima_policy.c >>>>>>> @@ -634,7 +634,7 @@ static int ima_parse_rule(char *rule, struct >>>>>>> ima_rule_entry *entry) >>>>>>> int result = 0; >>>>>>> ab = integrity_audit_log_start(NULL, GFP_KERNEL, >>>>>>> - AUDIT_INTEGRITY_RULE); >>>>>>> + AUDIT_INTEGRITY_POLICY_RULE); >>>>>> >>>>>> Is it possible to connect this record to a syscall by replacing the >>>>>> first parameter (NULL) by current->context? >>>> >>>> We're likely going to need to "associate" this record (audit speak for >>>> making the first parameter non-NULL) with others for the audit >>>> container ID work. If you do it now, Richard's patches will likely >>>> get a few lines smaller and that will surely make him a bit happier :) >>> >>> Richard is also introducing a local context that we can then create and >>> use >>> instead of the NULL. Can we not use that then? >> >> That is for records for which there is no syscall or user associated. >> >> In fact there is another recent change that would be better to use than >> current->audit_context, which is the function audit_context(). >> See commit cdfb6b3 ("audit: use inline function to get audit context"). >> >>> Steven seems to say: "We don't want to add syscall records to everything. >>> That messes up schemas and existing code. The integrity events are 1 >>> record >>> in size and should stay that way. This saves disk space and improves >>> readability." >>> >>>>> We would have to fix current->context in this case since it is NULL. We >>>>> get >>>>> to this location by root cat'ing a policy or writing a policy filename >>>>> into >>>>> /sys/kernel/security/ima/policy. >>>> >>>> Perhaps I'm missing something, but current in this case should point >>>> to the process which is writing to the policy file, yes? >>> >>> Yes, but current->context is NULL for some reason. >> >> Is it always this way? If it isn't, which it should not be, we should >> find out why. Well, we should find out why this is NULL anyways, since >> it shouldn't be. > > > When someone writes a policy for IMA into securityfs, it's always NULL. > There's another location where IMA uses the current->audit_context, and > that's here: > > https://elixir.bootlin.com/linux/latest/source/security/integrity/ima/ima_api.c#L323 > > At this location we sometimes see a (background) process with an > audit_context but in the majority of cases it's current->audit_context is > NULL. Starting a process as root or also non-root user, with the appropriate > IMA audit policy rules set, we always see a NULL audit_context here. What does your audit configuration look like? Depending on your configuration a NULL audit_context can be expected, see audit_dummy_context(). I believe the default Fedora audit config will leave you with a NULL audit_context for all processes. I also believe that unless you explicitly set "audit=1" on the kernel command line the init/systemd process will have a NULL audit_context (there was actually a range of kernels where even setting "audit=1" wouldn't be sufficient due to a bug we fixed a little while ago). Look at the audit_alloc() function, it is called when a new process is fork'd and is responsible for allocating a new audit_context. If the currently loaded audit config dictates that auditing is to be disabled for this new process (state == AUDIT_DISABLED) then an audit_context is not allocated and current->context remains NULL. -- paul moore www.paul-moore.com